Description of problem:
When using an internal HTTPS repo instead of subscription-manager and the HTTP server certificate is self-signed, trying to use dnf fails with a cryptic error:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Error: Failed to synchronize cache for repo 'os'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/var/log/dnf.log shows an even more cryptic backtrace:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 566, in load
    ret = self._repo.load()
  File "/usr/lib64/python3.6/site-packages/libdnf/repo.py", line 503, in load
    return _repo.Repo_load(self)
RuntimeError: Failed to synchronize cache for repo 'os'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 64, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 99, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 115, in cli_run
    cli.run()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 1124, in run
    self._process_demands()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 828, in _process_demands
    load_available_repos=self.demands.available_repos)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 400, in fill_sack
    self._add_repo_to_sack(r)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 135, in _add_repo_to_sack
    repo.load()
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 568, in load
    raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to synchronize cache for repo 'os'
2019-05-24T09:45:02Z CRITICAL Error: Failed to synchronize cache for repo 'os'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Administration can only understand what the real issue is by looking at /var/log/dns.librepo.log log and checking DEBUG logs:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Transfer finished: repodata/repomd.xml (Effective url: https://<HTTPS_URL>/repodata/repomd.xml)
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Error during transfer: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://<HTTPS_URL>/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Ignore error - Try another mirror
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This needs improvement (at least this shouldn't be DEBUG level).

Version-Release number of selected component (if applicable):
dnf-4.0.9.2-5.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1. Use some internal HTTPS repository, self-signed or without known certificate
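An added triage example, not part of the original report or of dnf: it pulls the "Error during transfer" lines out of librepo DEBUG output in the format quoted above and flags the ones whose curl code means the server certificate was not trusted. The sample log, its host names, the function names and the choice of codes 51, 60 and 77 as "certificate trust" failures are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format quoted in the report; hosts are placeholders.
SAMPLE_LOG = """\
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Transfer finished: repodata/repomd.xml (Effective url: https://repo.example.internal/os/repodata/repomd.xml)
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Error during transfer: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://repo.example.internal/os/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Ignore error - Try another mirror
2019-05-24T09:46:10Z DEBUG check_transfer_statuses: Error during transfer: Curl error (6): Couldn't resolve host name for http://mirror.example.internal/os/repodata/repomd.xml [Could not resolve host: mirror.example.internal]
"""

# Matches the DEBUG line that carries the real cause of the failure.
CURL_ERR = re.compile(
    r"^(?P<ts>\S+)\s+DEBUG\s+check_transfer_statuses: Error during transfer: "
    r"Curl error \((?P<code>\d+)\): (?P<msg>.*?) for (?P<url>\S+) \[(?P<detail>.*)\]\s*$"
)

# libcurl result codes treated here as "server certificate not trusted" (assumption).
CERT_TRUST_CODES = {51, 60, 77}


def find_transfer_errors(log_text):
    """Return one dict per 'Error during transfer' line found in log_text."""
    errors = []
    for line in log_text.splitlines():
        m = CURL_ERR.match(line)
        if not m:
            continue  # successful transfers and "Try another mirror" lines
        code = int(m["code"])
        errors.append({
            "time": m["ts"],
            "host": urlsplit(m["url"]).hostname,
            "curl_code": code,
            "message": m["msg"],
            "detail": m["detail"],
            "cert_trust_failure": code in CERT_TRUST_CODES,
        })
    return errors


def report(errors):
    """Render one line per error, tagging certificate trust failures."""
    return [
        f'{e["time"]} {"TLS-TRUST" if e["cert_trust_failure"] else "TRANSFER"} '
        f'{e["host"]} curl={e["curl_code"]}: {e["detail"]}'
        for e in errors
    ]


if __name__ == "__main__":
    # On a real host, pass the contents of the librepo log instead of SAMPLE_LOG.
    print("\n".join(report(find_transfer_errors(SAMPLE_LOG))))
```

A TLS-TRUST line means the repository's issuing CA is missing from the client's trust store; the remedy is to install that CA (or point the repo's `sslcacert` option at it), not to turn off `sslverify`.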
I created a patch that prints all the errors of the individual mirrors (in this case it would be the curl error): https://github.com/rpm-software-management/dnf/pull/1492

The errors are printed only when the whole download fails, so if it's a mirrorlist with only a few unavailable mirrors, nothing is printed (but the messages are still visible in --verbose mode and in dnf.librepo.log).

Tests in ci-dnf-stack: https://github.com/rpm-software-management/ci-dnf-stack/pull/643
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1823